Criminal forum trading stolen data suffers ironic data breach

Someone on the dark web is touting for sale an unusual database a lot of people might pay handsomely to get their hands on.

Another rich cache full of sensitive company data, or perhaps something stolen from a military power?

In fact, according to the security company that verified its authenticity, Cyble, this is data that a specialised group of internet users will find far more interesting – a database of criminal account holders of the now defunct breach data trading forum.

Such sites have sprung up in the wake of a tidal wave of public data breaches, giving criminals a one-stop shop for accessing the stuff without having to do unnecessary legwork.

But, of course, these sites themselves are vulnerable to the same hazard they trade in – namely having their own account data stolen.

It seems the WeLeakData site went offline in January, which gave rise to the idea that this might somehow be connected to the FBI’s seizure of similar-sounding site

That connection remains unconfirmed – as do separate reports that the site admins were arrested by Europol – but not long after WeLeakData came down, a new site called suddenly appeared with all the same data.

In April, Cyble’s suspicions that this was evidence of a data breach were confirmed when it discovered had been put up for sale.

Investigating further, this data turned out to contain nuggets such as email addresses of account holders, their usernames, hashed passwords, and IP addresses – pretty much what would be part of any data breach. The haul also contained private messages between criminal members.

Assuming they don’t already have the data, this is the sort of thing that would be of great interest to law enforcement, not to mention rival criminals.

How useful it is, of course, would depend on how careless normally paranoid criminals were about the IP addresses and email addresses they used when logging in, but even fragments of their activity could be enough to unmask them when combined with other information.

For now, it’s highly unlikely that WeLeakData is coming back:

Cyble researchers have verified the alias of WeLeakData owner is unresponsive and unreachable, however, the arrest claim is unverified at the time of writing this. Several cybercrime operators have mentioned that their operations have been disrupted due to the crackdown.

It seems that running cybercrime forums trading in stolen data has become a lot riskier these days.

In addition to the WeLeakInfo bust already mentioned, a separate forum called LeakedSource was taken down in late 2016. A Canadian citizen was later charged with (and subsequently pleaded guilty to) being the admin behind that operation.

A year after that, an operation called suddenly disappeared.

Few will mourn their passing, and even fewer, perhaps, the irony of data thieves who – for once – find themselves on the receiving end.
